This document describes the steps a developer can take to have a Micronaut application source its properties from HashiCorp Vault.
A branch for jira-gateway illustrates what needs to be done.
The build pipelines need to have VAULT_ADDR set to a valid Vault address and VAULT_TOKEN set to any value for the builds to succeed.
Introduction
Applications currently source property values through environment variables such as KAFKA_URL, as in the following application.yml example:

    kafka:
      bootstrap:
        servers: ${KAFKA_URL}

We want to have those values stored in HashiCorp Vault instead of having them set as environment variables, and we can achieve this transparently by leveraging the Micronaut Vault integration feature.
The framework will look up secrets in the Vault and set the corresponding variables accordingly, reducing the steps to be taken by developers to the following:
1. Add the following dependency to build.gradle.kts:

    implementation("io.micronaut.discovery:micronaut-discovery-client")

2. Add the following to the application's bootstrap.yml, under the resources directory:

    micronaut:
      application:
        name: my-awesome-app
      config-client:
        enabled: true
    vault:
      client:
        config:
          enabled: true
        kv-version: V2
        secret-engine-name: secrets/app-properties
        uri: ${VAULT_ADDR}
        token: ${VAULT_TOKEN}

The micronaut.application.name property has to be here, set to the actual application name, and can be removed from application.yml.
3. Use the app's Kotlin chart version >= 0.3.12 and add the following to the values of the app's Helm chart:

    kotlin:
      micronaut:
        vault:
          endpoint: https://vault.hcv.dev.safibank.online:8200
          kubernetesAuthentication: true

With this configuration, Micronaut will fetch values from HashiCorp Vault at application startup and replace configuration placeholders automatically.

    11:39:58.573 [main] INFO i.m.context.DefaultBeanContext - Reading bootstrap environment configuration
    11:39:59.151 [main] INFO i.m.d.c.c.DistributedPropertySourceLocator - Resolved 4 configuration sources from client: compositeConfigurationClient(vault-config-client-v2)
    11:39:59.216 [main] INFO io.micronaut.runtime.Micronaut - Startup completed in 796ms. Server Running: http://localhost:8080

In order to take new Vault values into account, such a Micronaut application has to be restarted.
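
A pre-deployment check for the setup above, added here as an example and not part of the original page or the jira-gateway branch: it lists the ${...} placeholders in an application.yml that have no inline default and reports those not covered by a KV v2 secret, handling key names only and never values. It assumes each secret key is named exactly like the placeholder it replaces; DB_URL, DB_POOL, OLD_SETTING and all sample values are constructed.

```python
import json
import re

# ${NAME} or ${NAME:default}; group 2 is present only when a default is given.
PLACEHOLDER = re.compile(r"\$\{([^}:]+)(:[^}]*)?\}")

def required_placeholders(yaml_text):
    """Names of placeholders that have no inline default."""
    names = set()
    for line in yaml_text.splitlines():
        line = re.sub(r"(?:^|\s)#.*", "", line)  # ignore YAML comments
        for name, default in PLACEHOLDER.findall(line):
            if not default:
                names.add(name.strip())
    return names

def kv2_keys(response_text):
    """Key names (never values) from a KV v2 read response body."""
    body = json.loads(response_text)
    inner = (body.get("data") or {}).get("data")
    if not isinstance(inner, dict):
        raise ValueError("not a KV v2 read response: data.data is missing")
    return set(inner)

def missing_from_vault(yaml_text, responses, from_env=("VAULT_ADDR", "VAULT_TOKEN")):
    """Placeholders no supplied secret covers, excluding bootstrap variables."""
    available = set(from_env)
    for response_text in responses:
        available |= kv2_keys(response_text)
    return sorted(required_placeholders(yaml_text) - available)

# Constructed sample input: DB_URL, DB_POOL and OLD_SETTING are made-up keys.
SAMPLE_APPLICATION_YML = """\
kafka:
  bootstrap:
    servers: ${KAFKA_URL}
datasource:
  url: ${DB_URL}
  pool-size: ${DB_POOL:10}
# legacy: ${OLD_SETTING}
"""
# Constructed KV v2 read response, shaped like `vault kv get -format=json` output.
SAMPLE_KV2_RESPONSE = json.dumps(
    {"data": {"data": {"KAFKA_URL": "kafka.example.internal:9092"},
              "metadata": {"version": 3}}}
)

if __name__ == "__main__":
    print(missing_from_vault(SAMPLE_APPLICATION_YML, [SAMPLE_KV2_RESPONSE]))
```

Since values are read only at startup, running a check like this before a restart shows which keys still need to be written to Vault.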